ISE-FS-200
INFORMATION SHARING ENVIRONMENT (ISE)
FUNCTIONAL STANDARD (FS)
SUSPICIOUS ACTIVITY REPORTING (SAR)
VERSION 1.5.5
1. Authority. Homeland Security Act of 2002, as amended; The Intelligence Reform and
Terrorism Prevention Act of 2004 (IRTPA), as amended; Presidential Memorandum dated
April 10, 2007 (Assignment of Functions Relating to the Information Sharing Environment);
Presidential Memorandum dated December 16, 2005 (Guidelines and Requirements in
Support of the Information Sharing Environment); DNI memorandum dated May 2, 2007
(Program Manager’s Responsibilities); Executive Order 13388; and other applicable provisions of law, regulation, or policy.
2. Purpose. This issuance updates the Functional Standard for ISE-SARs and is one of a series
of Common Terrorism Information Sharing Standards (CTISS) issued by the Program
Manager for the Information Sharing Environment (PM-ISE). While limited to describing the
ISE-SAR process and associated information exchanges, information from this process may
support other ISE processes, to include alerts, warnings, and notifications; situational
awareness reporting; and terrorist watchlisting.
3. Applicability. This ISE-SAR Functional Standard applies to all departments or agencies that
possess or use terrorism or homeland security information or intelligence, operate systems
that support or interface with the ISE, or otherwise participate (or expect to participate) in the
ISE, as specified in Section 1016(i) of the IRTPA, and in the Nationwide Suspicious Activity
Reporting (SAR) Initiative (NSI).
4. References. ISE Implementation Plan, November 2006; ISE Enterprise Architecture
Framework (EAF), Version 2.0, September 2008; Initial Privacy and Civil Liberties Analysis
for the Information Sharing Environment, Version 1.0, September 2008; Privacy, Civil
Rights, and Civil Liberties Analysis and Recommendations, Nationwide Suspicious Activity
Reporting Initiative (July 2010); ISE-AM-300: Common Terrorism Information Standards
Program, October 31, 2007; Common Terrorism Information Sharing Standards Program
Manual, Version 1.0, October 2007; National Information Exchange Model, Concept of
Operations (CONOPS), Version 0.5, January 9, 2007; 28 Code of Federal Regulations (CFR)
Part 23; Executive Order 13526 (Classified National Security Information), December 29,
2009; Nationwide Suspicious Activity Reporting Concept of Operations, December 2008;
ISE Suspicious Activity Reporting Evaluation Environment (EE) Segment Architecture,
December 2008; ISE-SAR Functional Standard v. 1.5 (2009); and the National Strategy for
Information Sharing and Safeguarding, December 2012; NSI SAR Data Repository (SDR)
CONOPS, January 2014.
5. Definitions.
a. Artifact: Detailed mission product documentation addressing information exchanges and
data elements for ISE-SAR (data models, schemas, structures, etc.).
b. Common Terrorism Information Sharing Standards (CTISS): Business process-driven,
performance-based “common standards” for preparing terrorism-related (and other)
information for maximum distribution and access, to enable the acquisition, access,
retention, production, use, management, and sharing of terrorism-related information
within the ISE. CTISS, such as this ISE-SAR Functional Standard, are implemented in
ISE participants’ infrastructures as described in the ISE EAF. CTISS identifies two
categories of common standards:
1. Functional standards—set forth rules, conditions, guidelines, and characteristics of
data and mission products supporting ISE business process areas.
2. Technical standards—document specific technical methodologies and practices to
design and implement information sharing capability into ISE systems.
c. Nationwide SAR Initiative (NSI) SAR Data Repository (SDR): The NSI SDR consists of
a single data repository, built to respect and support originator control and local
stewardship of data, which incorporates Federal, State, and local retention policies.
Within the SDR, hosted data enclaves extend this approach to information management
and safeguarding practices by ensuring a separation of data across participating agencies.
d. eGuardian: eGuardian is the FBI’s unclassified, Web-based system for receiving,
tracking, and sharing ISE-SARs in the NSI as well as receiving and documenting other
terrorism-related information, such as watchlist encounters or terrorism-related events,
and other cyber or criminal threat information. (All information that is available to NSI
participants through the eGuardian SDR will be vetted by a trained fusion center or
Federal agency analyst or investigator to ensure that it meets the vetting standard for an
ISE-SAR (i.e., a SAR that has been determined, pursuant to a two-part process, to have a
potential nexus to terrorism).) ISE-SARs loaded into eGuardian are pushed to the FBI’s
Guardian system, a classified counterpart to eGuardian, in which the FBI and its JTTFs
compare investigative lead information with other holdings available to the FBI in its
capacity as a member of the Intelligence Community.
e. Field Intelligence Groups (FIGs): The hub of the FBI’s intelligence program in the field,
FIGs are the primary mechanism through which FBI field offices identify, evaluate, and
prioritize threats within their territories. Using dissemination protocols, FIGs contribute
to regional and local perspectives on threats and serve as the FBI’s link among fusion
centers, the JTTFs, and the Intelligence Community.
f. Fusion center: “A collaborative effort of two or more Federal, State, local, tribal, or
territorial (SLTT) government agencies that combines resources, expertise, or
information with the goal of maximizing the ability of such agencies to detect, prevent,
investigate, apprehend, and respond to criminal or terrorist activity.” (Source: Section 511 of the 9/11 Commission Act). State and major urban area fusion centers serve as
focal points within the State and local environment for the receipt, analysis, gathering,
and sharing of threat-related information between the Federal government and SLTT and
private-sector partners.
g. Information exchange: The transfer of information from one organization to another
organization, in accordance with CTISS defined processes.
h. Information Sharing Environment-Suspicious Activity Report (ISE-SAR): An ISE-SAR
is a SAR (as defined below in 5.t) that has been determined, pursuant to a two-part
process, to have a potential nexus to terrorism (i.e., to be reasonably indicative of
criminal activity associated with terrorism). ISE-SAR business rules and privacy and
civil liberties requirements will serve as a unified process to support the reporting,
tracking, processing, storage, and retrieval of terrorism-related suspicious activity reports
across the ISE.
i. Joint Terrorism Task Forces (JTTFs): The FBI’s JTTFs are interagency task forces designed to enhance communication, coordination, and cooperation in countering
terrorist threats. They combine the resources, talents, skills, and knowledge of Federal,
State, territorial, tribal, and local law enforcement and homeland security agencies, as
well as the Intelligence Community, into a single team that investigates and/or responds
to terrorist threats. The JTTFs execute the FBI’s lead Federal agency responsibility for
investigating terrorist acts or terrorist threats against the United States.
j. National Information Exchange Model (NIEM): A joint technical and functional
standards program initiated by the Department of Homeland Security (DHS) and the
Department of Justice (DOJ) that supports national-level interoperable information
sharing.
k. Nationwide Suspicious Activity Reporting (SAR) Initiative (NSI): The NSI establishes
standardized processes and policies that provide the capability for Federal, SLTT,
campus, and railroad law enforcement and homeland security agencies to share timely,
relevant ISE-SARs through a distributed information sharing system that protects
privacy, civil rights, and civil liberties.
l. Owning agency/organization: The organization that owns the target associated with the
suspicious activity.
m. Personally identifiable information: Information that may be used to identify an
individual (i.e., data elements in the identified “privacy fields” of this ISE-SAR
Functional Standard).
n. Pre-operational planning: Pre-operational planning describes activities associated with a
known or particular planned criminal operation or with terrorist operations generally.
o. Privacy field: A data element that may be used to identify an individual and, therefore, is
subject to privacy protection.
p. Reasonably indicative: This operational concept for documenting and sharing suspicious
activity report takes into account the circumstances in which that observation is made,
which creates in the mind of the reasonable observer, including a law enforcement
officer, an articulable concern that the behavior may indicate pre-operational planning
associated with terrorism or other criminal activity.1 It also takes into account the
training and experience of a reasonable law enforcement officer, in cases in which an
officer is the observer or documenter of the observed behavior reported to a law
enforcement agency.
q. Source agency/organization: The agency or entity that originates the SAR report
(examples include a local police department, a private security firm handling security for
a power plant, and a security force at a military installation). The source organization will
not change throughout the life of the SAR.
r. Submitting agency/organization: The organization that actuates the push of the ISE-SAR
to the NSI community. The submitting organization and the source organization may be
the same.
s. Suspicious activity: Observed behavior reasonably indicative of pre-operational planning
associated with terrorism or other criminal activity.
t. Suspicious Activity Report (SAR): Official documentation of observed behavior
reasonably indicative of pre-operational planning associated with terrorism or other
criminal activity.
6. Guidance. This Functional Standard is hereby established as the nationwide ISE Functional
Standard for identifying ISE-SARs. It is based on documented information exchanges and
business requirements and describes the structure, content, and products associated with
processing, integrating, and retrieving ISE-SARs by ISE agencies participating in the NSI.
7. Responsibilities.
a. The PM-ISE, in consultation with the Information Sharing and Access Interagency Policy
Committee (ISA IPC), will:
(1) Maintain and administer this ISE-SAR Functional Standard, to include:
(a) Updating the business process and information flows for ISE-SAR.
1 It should be noted that for purposes of the evaluation and documentation of an ISE-SAR (See 5. h., above), the
term “other criminal activity” must refer to criminal activity associated with terrorism and must fall within the scope
of the 16 terrorism pre-operational behaviors identified in Part B of this Functional Standard.
(b) Updating data elements and product definitions for ISE-SAR.
(2) Publish and maintain configuration management of this ISE-SAR Functional
Standard.
(3) Assist with the development of ISE-SAR implementation guidance, training, and
governance structure, as appropriate, to address privacy, civil rights, and civil
liberties-related policy, architecture, and legal issues.
(4) Work with ISE agencies participating in the NSI, through the ISA IPC governance
process, to develop a new or modified ISE-SAR Functional Standard, as needed and
recognize the separate process for DHS and the FBI to update the behavioral
examples in Part B ISE-SAR Criteria Guidance to rapidly reflect emerging threats
and trends.
(5) Coordinate, publish, and monitor implementation and use of this ISE-SAR
Functional Standard, and coordinate with the White House Office of Science and
Technology Policy and with the National Institute of Standards and Technology (in
the Department of Commerce) for broader publication, as appropriate.
b. Each ISA IPC member and other affected organizations shall:
(1) Propose modifications to the PM-ISE for this Functional Standard, as appropriate.
(2) As appropriate, incorporate this ISE-SAR Functional Standard, and any subsequent
implementation guidance, into budget activities associated with relevant current
(operational) mission specific programs, systems, or initiatives (e.g., operations and
maintenance [O&M] or enhancements).
(3) As appropriate, incorporate this ISE-SAR Functional Standard, and any subsequent
implementation guidance, into budget activities associated with future or new
development efforts for relevant mission-specific programs, systems, or initiatives
(e.g., development, modernization, or enhancement [DME]).
(4) Ensure that incorporation of this ISE-SAR Functional Standard, as set forth in 7.b
(2) or 7.b (3) above, is done in compliance with ISE Privacy Guidelines and any
additional guidance provided by the ISA IPC Privacy and Civil Liberties
Subcommittee (P/CL Subcommittee).
(5) Ensure that incorporation of this ISE-SAR Functional Standard, as set forth in 7.b
(1) or 7.b (2) above, is done without impact on federal agencies’ lawful collection,
maintenance, dissemination, and use of information, as provided by federal law.
8. Effective Date and Expiration. This ISE-SAR Functional Standard supersedes the
Information Sharing Environment, Functional Standard, Suspicious Activity Reporting, v. 1.5
(2009), is effective immediately, and will remain in effect as the updated ISE-SAR Functional
Standard until further updated, superseded, or cancelled.
Program Manager for the Information Sharing Environment
Date: February 23, 2015
Document Change History
Document Title: ISE-SAR Functional Standard
Document Owner: PM-ISE
Document Responsibility: PM-ISE
Document Version: 1.5.5
Document Status:
Version Control Summary
Date | Version | Changed by | Change Description
2/23/15 | 1.5.5 | | Update to version 1.5 promulgated
Future Releases
Date | Version | Proposed
PART A—ISE-SAR FUNCTIONAL STANDARD ELEMENTS
SECTION I: DOCUMENT OVERVIEW
List of ISE-SAR Functional Standard Technical Artifacts
The full ISE-SAR information exchange contains five types of supporting technical artifacts.
This documentation provides details of implementation processes and other relevant reference
materials. A synopsis of the ISE-SAR Functional Standard technical artifacts is contained in
Table 1 below.
Table 1 – Functional Standard Technical Artifacts2
Artifact Type | Artifact | Artifact Description
Development and Implementation Tools | 1. Component Mapping Template (CMT) (SAR-to-NIEM) | This spreadsheet captures the ISE-SAR information exchange class and data element (source) definitions and relates each data element to corresponding National Information Exchange Model (NIEM) Extensible Mark-Up Language (XML) elements and NIEM elements, as appropriate.
Development and Implementation Tools | 2. NIEM Wantlist | The Wantlist is an XML file that lists the elements selected from the NIEM data model for inclusion in the Schema Subset. The Schema Subset is a compliant version to both programs that has been reduced to only those elements actually used in the ISE-SAR document schema.
Development and Implementation Tools | 3. XML Schemas | The XML Schema provides a technical representation of the business data requirements. They are a machine-readable definition of the structure of an ISE-SAR-based XML Message.
Development and Implementation Tools | 4. XML Sample Instance | The XML Sample Instance is a sample document that has been formatted to comply with the structures defined in the XML Schema. It provides the developer with an example of how the ISE-SAR schema is intended to be used.
Development and Implementation Tools | 5. Codified Data Field Values | Listings, descriptions, and sources as prescribed by data fields in the ISE-SAR Functional Standard.
2 Development and implementation tools may be accessible through www.ise.gov. In addition, updated versions of
this Functional Standard should conform with NIEM.
This ISE-SAR Functional Standard has been designed to incorporate key elements that describe
pre-operational behaviors that are criminal in nature and have historically been associated with
terrorism.3 The NSI includes law enforcement,4 homeland security,5 and other information
sharing partners at the Federal, SLTT levels, including State and major urban area fusion centers,
to the full extent permitted by law. In addition to providing specific indications about possible
terrorism-related behaviors, ISE-SARs can be used to look for patterns and trends by analyzing
information at a broader level than would typically be recognized within a single jurisdiction,
including SLTT jurisdictions. Standardized and consistent sharing of ISE-SARs among State and
major urban area fusion centers and Federal agencies participating in the NSI is vital to
assessing, deterring, preventing, or prosecuting those involved in criminal activities with a
potential nexus to terrorism (i.e., to be reasonably indicative of pre-operational planning
associated with terrorism). This ISE-SAR Functional Standard has been designed to incorporate
key elements that describe pre-operational behaviors historically associated with terrorism.
B. ISE-SAR Scope
An ISE-SAR is a SAR that has been determined by a trained analyst or investigator, pursuant to
a two-part process,6 to have a potential nexus to terrorism (i.e., to be reasonably indicative of
pre-operational planning associated with terrorism). (See Section II. D. 3. below, Analysis and
Production). “Reasonably indicative” is a determination that takes into account (1) the
circumstances in which the observation is made, which creates in the mind of the reasonable
observer an articulable concern that the behavior may indicate pre-operational planning
associated with terrorism or other criminal activity; and (2) the training and expertise of a
reasonable law enforcement officer, in cases in which an officer is the observer or documenter of
the SAR, who may be informed by specific or general threat bulletins, trip wire reports, or other
information or intelligence. The term “pre-operational planning” refers to those activities that
are associated with a known or particular planned criminal operation or with terrorist operations
generally.
3 Identified in Part B of this Functional Standard, the 16 pre-operational behaviors are criminal in nature either
because they are inherently criminal (e.g., breach, theft, sabotage) or because they are being engaged in to further a
terrorism operation (e.g., testing or probing of security, observation/surveillance, materials acquisition). The
pre-operational behavioral criteria and categories are listed in Part B of this Functional Standard.
4 All references to Federal and SLTT law enforcement agencies are intended to encompass civilian law enforcement,
military police, and other security professionals.
5 All references to homeland security are intended to encompass public safety, emergency management, and other
officials who routinely participate in the State or major urban area’s homeland security preparedness activities.
6 The determination of an ISE-SAR is a two-part process: (1) at the State or major urban area fusion center or
Federal agency, an analyst or law enforcement officer reviews the newly reported information for suspicious
behavior based on his or her training and expertise and against ISE-SAR behavior criteria; and (2) based on the
context, facts, and circumstances, the analyst or investigator determines whether the information meeting the criteria
has a potential nexus to terrorism (i.e., to be reasonably indicative of pre-operational planning associated with
terrorism).
A determination that a SAR constitutes an ISE-SAR is made as part of a two-part vetting process
by a trained analyst or investigator who takes into account the reported circumstances of the
SAR, including both the training and experience of the law enforcement or homeland security
personnel reporting the behavior, to confirm that the reasonably indicative determination has
been met.7 The analyst or investigator then compares the SAR with information from available
databases and resources, reviews the behavior against the Part B (ISE-SAR Criteria Guidance)
pre-operational terrorism behaviors, and then makes a judgment as to whether, given the context,
facts, and circumstances available, there is a potential nexus to terrorism (i.e., to be reasonably
indicative of pre-operational planning associated with terrorism). Part B provides a more
thorough explanation of ISE-SAR pre-operational behavior criteria and highlights the importance
of the trained analyst or investigator taking into account the context, facts, and circumstances in
reviewing suspicious behaviors to identify those SARs with a potential nexus to terrorism (i.e., to
be reasonably indicative of pre-operational planning associated with terrorism). The following
are select examples of the 16 terrorism pre-operational behavioral categories, set forth in Part B,
that may be reasonably indicative of terrorism:
Expressed or implied threat
Theft/loss/diversion
Breach/attempted intrusion
Cyberattacks
Testing or probing of security8
It is important to stress that this behavior-focused approach to identifying suspicious activity
requires that factors such as race, ethnicity, gender, national origin, religion, sexual orientation,
or gender identity must not be considered as factors creating suspicion (but attributes may be
documented in specific suspect descriptions for identification purposes).9 The same
constitutional standards that apply when conducting ordinary criminal investigations also apply
to Federal and SLTT law enforcement and homeland security officers collecting information
about suspicious activity. The ISE-SAR Functional Standard does not alter law enforcement
officers’ constitutional obligations when interacting with the public. This means, for example, that constitutional protections and agency policies and procedures that apply to a law
7 In assessing whether behavior constitutes “suspicious activity,” law enforcement and homeland security personnel
should consider all of the circumstances in which the behavior was observed, including knowledge such personnel
may have had of any emerging threats or tradecraft, such as those based on specific or general threat bulletins, trip
wire reports, or other information or intelligence.
8 For a full list and explanation of the behavioral categories, behavioral criteria, and descriptive examples, see Part
B.
9 Consideration and documentation of race, ethnicity, gender, national origin, religion, sexual orientation, or gender
identity shall be consistent with applicable guidance, including, for federal law enforcement officers, Guidance for
Federal Law Enforcement Agencies regarding the Use of Race, Ethnicity, Gender, National Origin, Religion, Sexual
information directly to the responsible FBI JTTF14 for follow-on action against the identified
terrorist activity. In those cases in which the local agency can determine that an activity has a
direct connection to a terrorist event or pre-operational planning associated with terrorism, it will
provide the information directly to the responsible JTTF for use as the basis for an assessment or
investigation of a terrorism-related crime as appropriate.
3. Analysis and Production
The SLTT agency, fusion center, or Federal agency enters the SAR into an NSI SDR-connected
platform. The SAR undergoes a two-part review process by a trained analyst or an investigator
to establish or discount a potential nexus to terrorism (i.e., discount that it is reasonably
indicative of pre-operational planning associated with terrorism). First, the trained analyst or law
enforcement investigator reviews the newly reported SAR information against 16 pre-operational
behaviors associated with terrorism that are identified in Part B of this ISE-SAR Functional
Standard, keeping in mind—when interpreting the behaviors—the importance of context, facts,
and circumstances.15 The analyst or investigator will then review the input against all available
knowledge and information for linkages to other suspicious or criminal activity and determine
whether the information reflects Part B behaviors.
Second, if the information reflects one or more Part B behaviors, the officer or analyst will apply
his or her professional judgment to determine whether, based on the available context, facts, and
circumstances, the information has a potential nexus to terrorism (i.e., to be reasonably indicative
of pre-operational planning associated with terrorism). If the officer or analyst cannot make this
explicit determination, the report will not be accessible in the NSI SDR, although it may be
retained in local fusion center or Federal agency files in accordance with established retention
policies and business rules or reported to the FBI or other law enforcement or homeland security
agencies under other legal authorities. However, if that determination is made by the analyst or
investigator, the SAR will either be submitted immediately to the NSI SDR or forwarded for
secondary review and approval, which may lead to submission to the NSI SDR.
As described in Part B, the activities listed as “Potential Criminal or Non-Criminal Activity” are
not inherently criminal behaviors and are potentially constitutionally protected; thus, additional
facts or circumstances must be articulated in the incident.
4. Dissemination
Once a SAR has been determined to meet Part B behavior criteria and have a potential nexus to
terrorism (i.e., to be reasonably indicative of pre-operational planning associated with terrorism),
the SAR becomes an ISE-SAR and is formatted in accordance with the ISE-SAR Information
Exchange Package Document (IEPD) format described in Sections III and IV. The ISE-SAR is
then uploaded by the submitting agency, where it is immediately provided to the FBI for an
assessment-level investigation and made available to all other NSI participants. This allows
authorized law enforcement agencies and fusion centers to be cognizant of all terrorism-related
suspicious activity in their respective areas of responsibility, consistent with the information flow
description in Part C, and allows the FBI to take investigative action as appropriate and in
coordination with or with the knowledge of the source agency. Although the ISE-SAR has been
shared with all NSI participants, it remains under the ownership and control of the submitting
organization (i.e., SLTT law enforcement agency, fusion center, or Federal agency that made the
initial determination that the activity constituted an ISE-SAR) and the ISE-SAR is then uploaded
to the NSI SDR.
14 SARs that do not require an immediate law enforcement response should nonetheless be made available to JTTFs
for a coordinated evaluation, including, but not limited to, comparing the information with other holdings available
to the FBI as a member of the Intelligence Community.
15 It is important to note that the analyst or investigator should not make assumptions or presumptions as to why an
individual acted or failed to act in a certain way; rather, the determination that the behavior is suspicious should be
based on the behavior observed or on documented circumstances.
By this stage of the process, all initially reported SARs have been through multiple levels of
review by trained personnel and, to the maximum extent possible, those SARs without a
potential nexus to terrorism have been filtered out. SARs that are vetted, approved, and made
available for sharing in the NSI SDR are ISE-SARs and can be presumed by Federal, State, and
local analytic personnel to have a potential nexus to terrorism (i.e., to be reasonably indicative of
pre-operational planning associated with terrorism), and information derived from them can be
used along with other sources to support JTTF or other counterterrorism operations or to develop
counterterrorism analytic products. As in any analytic process, however, all information is
subject to further review and validation. Analysts must coordinate with the submitting
organization for deconfliction and are responsible for obtaining and using any available relevant
information in the applicable analytic product. To appropriately safeguard privacy, civil rights,
and civil liberties, analytical programs should be conducted in accordance with agency policies
and procedures, including privacy policies, and records management schedules and should
implement auditing and accountability measures.
Once ISE-SARs are accessible in the NSI SDR, they can be used to support a range of
counterterrorism analytic and operational activities. This step involves the actions necessary to
integrate ISE-SAR information into existing counterterrorism analytic and operational processes,
including efforts to “connect the dots,” identify information gaps, and develop formal analytic products.
5. Reevaluation16
Operational feedback on the status of ISE-SARs is an essential element of an effective NSI
process with important implications for privacy, civil rights, and civil liberties. First of all, it is
important to notify source organizations when information they provide is designated as an ISE-
SAR by a submitting organization and made available for sharing—a form of positive feedback
that lets organizations know that their initial suspicions have some validity. Second, once the
FBI assigns and assesses an ISE-SAR, the submitting organization is electronically notified of
the FBI field office investigating the SAR and the results of the assessment. These results are
maintained in the disposition section of the ISE-SAR for all NSI participants to review.
16 The reevaluation phase also encompasses the establishment of an integrated counterterrorism information needs
process, a process that does not relate directly to information exchanges through this standard. See page 23 of the
2008 NSI CONOPS for more details.
E. Broader ISE-SAR Applicability
Consistent with the ISE Privacy Guidelines and Presidential Guideline 2, and to the full extent
permitted by law, this ISE-SAR Functional Standard is designed to support the sharing of
unclassified information or sensitive but unclassified (SBU)/controlled unclassified information
(CUI) within the NSI SDR. There is also a provision for using a data element indicator for
designating classified national security information as part of the ISE-SAR record, as necessary.
This condition could be required under special circumstances for protecting the context of the
event, or specifics or organizational associations of affected locations. The State or major urban
area fusion center or the FBI’s Guardian Management Unit (GMU) or JTTF acts as a key conduit between the SLTT agencies and other NSI participants. It is important to note that, although
many SAR source agencies and ISE-SAR consumers have responsibilities beyond terrorist
activities, the NSI ISE-SAR concept is focused exclusively on terrorism-related information. Of
special note, there is no intention to modify or otherwise affect, through this ISE-SAR Functional
Standard, the currently supported or mandated direct interactions between SLTT law
enforcement and investigatory personnel and the FBI’s JTTFs and/or FIGs.
This ISE-SAR Functional Standard will be used as the ISE-SAR information exchange standard
for all NSI participants. Although the extensibility of this ISE-SAR Functional Standard does
support customization for unique communities, jurisdictions planning to modify this ISE-SAR
Functional Standard must carefully consider the consequences of customization. The PM-ISE
requests that modification follow a formal change request process through the ISA IPC as
appropriate, for both community coordination and consideration. Further, messages that do not
conform to this Functional Standard may not be consumable by the receiving organization and
may require modifications by the nonconforming organizations.
F. Other Information Sharing Authorities
The ISE-SAR process does not supersede other information or intelligence gathering, collection,
or sharing authority, including the authority to share information between and among Federal
agencies and SLTT agencies where the information is related to homeland security, terrorism, or
other Federal crimes.
Multiple Federal agencies currently have the authority to collect terrorism-related tips and leads.
However, only those tips and leads that comply with the ISE-SAR Functional Standard are
broadly shared with NSI participants. At the SLTT level, crime and terrorism information,
including terrorism-related non-ISE-SAR information, can and should be reported to appropriate
Federal agencies based on their relevant legal authorities.17
17 As an example, SLTT agencies may provide terrorism-related source data that leads to the creation of an
Intelligence Information Report (IIR), which is ultimately shared with the federal Intelligence Community. In
addition, SLTT agencies often enhance existing federal data by providing local context for an assortment of
Intelligence Community partners (e.g., Drug Enforcement Administration and DHS components). A third example
relates to terrorism-related leads that do not meet the requirements of the ISE-SAR Functional Standard but may
require investigative follow-up by the FBI. Under the latter circumstance, non-ISE-SAR information may be
(Note that the mapping indicates context and we are not
reusing Contact Information components)
Extended XML Elements
Additional data elements are also identified as new elements outside of NIEM, Version 2.0.
These elements are listed below:
AdditionalDetailsIndicator: Identifies whether more ISE-SAR details are available at the
authoring/submitting agency/organization than what has been provided in the information
exchange.
AssignedByText: Organizational identifier that describes the organization performing a follow-
up activity. This is designed to keep all parties interested in a particular ISE-SAR informed of
concurrent investigations.
AssignedToText: Text describing the person or suborganization that will be performing the
designated follow-up action.
ClassificationReasonText: A reason why the classification was made as such.
ContentValidityCode: Validity of the content, in the assessment of the reporting organization:
could be one of “confirmed,” “doubtful,” or “cannot be judged.”
ConveyanceTrack/Intent: A direction by heading and speed or route and/or waypoint of
conveyance.
CriticalInfrastructureIndicator: Critical infrastructure, as defined by 42 USC Sec. 5195c,
means systems and assets, whether physical or virtual, so vital to the United States that the
incapacity or destruction of such systems and assets would have a debilitating impact on
security, national economic security, national public health or safety, or any combination of
those matters.
ICAOAirfieldCodeforDeparture: An International Civil Aviation Organization (ICAO) airfield
code for departure. Indicates aircraft, crew, passengers, and cargo on conveyance location
information.
ICAOAirfieldCodeforPlannedDestination: An airfield code for planned destination. Indicates
aircraft, crew, passengers, and cargo on conveyance location information.
ICAOforActualDestination: An airfield code for actual destination. Indicates aircraft, crew,
passengers, and cargo on conveyance location information.
ICAOAirfieldforAlternate: An airfield code for Alternate. Indicates aircraft, crew, passengers,
and cargo on conveyance location information.
NatureofSource-Code: Nature of the source: Could be one of “anonymous tip,” “confidential
source,” “trained interviewer,” “written statement—victim, witness, other,” “private sector,” or
“other source.”
PrivacyFieldIndicator: Data element that may be used to identify an individual and therefore is
subject to protection from disclosure under applicable privacy rules. Removal of privacy fields
from a detailed report will result in a summary report. This privacy field informs users of the
summary information exchange that additional information may be available from the originator
of the report.
ReportPurgeDate: The date by which the privacy fields will be purged from the record system;
general observation data is retained. Purge policies vary from jurisdiction to jurisdiction and
should be indicated as part of the guidelines.
ReportPurgeReviewDate: Date of review to determine the disposition of the privacy fields in a
detailed ISE-SAR IEPD record.
SourceReliabilityCode: Reliability of the source, in the assessment of the reporting
organization: could be one of “reliable,” “unreliable,” or “unknown.”
VesselHailingPort: The identifying attributes of the hailing port of a vessel.
VesselNationalFlag: A data concept for a country flag under which a vessel sails.
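The extended elements above imply three checks an implementer has to perform: enumerated codes must carry one of the listed values, a summary report is a detailed report with its privacy fields removed, and privacy fields must be purged once ReportPurgeDate is reached. The following is an added example, not part of the Functional Standard or its schemas. The flat record layout, the privacyField attribute, the ISO date format, and the use of AdditionalDetailsIndicator on the summary are assumptions made for illustration.

```python
import copy
import datetime as dt
import xml.etree.ElementTree as ET

# Code values quoted from the element definitions above.
ALLOWED = {
    "ContentValidityCode": {"confirmed", "doubtful", "cannot be judged"},
    "SourceReliabilityCode": {"reliable", "unreliable", "unknown"},
}

# Constructed sample record. Element layout and the privacyField attribute
# are assumptions for this example, not the ISE-SAR exchange schema.
SAMPLE = """<Report>
  <ContentValidityCode>confirmed</ContentValidityCode>
  <SourceReliabilityCode>reliable</SourceReliabilityCode>
  <ReportPurgeDate>2031-01-15</ReportPurgeDate>
  <ObservationText>Vehicle circled the facility twice.</ObservationText>
  <PersonName privacyField="true">Constructed Name</PersonName>
  <VehiclePlate privacyField="true">CONSTRUCTED-1</VehiclePlate>
</Report>"""


def code_errors(root):
    """List every coded element whose value is outside its allowed set."""
    errors = []
    for name, allowed in ALLOWED.items():
        for el in root.iter(name):
            value = (el.text or "").strip().lower()
            if value not in allowed:
                errors.append(f"{name}={value!r}")
    return errors


def to_summary(root):
    """Return (summary copy without privacy fields, number of fields removed)."""
    summary = copy.deepcopy(root)  # never mutate the detailed record
    removed = 0
    for parent in list(summary.iter()):
        for child in list(parent):
            if child.get("privacyField") == "true":
                parent.remove(child)
                removed += 1
    # Tell summary consumers that the originator holds more detail.
    flag = ET.SubElement(summary, "AdditionalDetailsIndicator")
    flag.text = "true" if removed else "false"
    return summary, removed


def purge_due(root, today):
    """True once ReportPurgeDate is reached; a missing date is never due."""
    text = root.findtext("ReportPurgeDate")
    return text is not None and dt.date.fromisoformat(text.strip()) <= today
```

A record with no ReportPurgeDate is reported as not due, so a caller that requires a purge date should treat its absence as a separate validation failure.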
SECTION V: INFORMATION EXCHANGE IMPLEMENTATION ARTIFACTS
A. Domain Model
General Domain Model Overview
The domain model provides a visual representation of the business data requirements and
relationships (Figure 2). This Unified Modeling Language (UML)-based Model represents the
Exchange Model artifact required in the information exchange development methodology. The
model is designed to demonstrate the organization of data elements and illustrate how these
elements are grouped together into classes. Further, it describes relationships between these
classes. A key consideration in the development of a domain model is that it must be
independent of the mechanism intended to implement the model. The domain model is actually
a representation of how data is structured from a business context. As the technology changes
and new Functional Standards emerge, developers can create new standards mapping documents
and schema tied to a new standard without having to readdress business process requirements.
Figure 2 – UML-based Model
B. General Mapping Overview
The detailed component mapping template provides a mechanism to cross-reference the business
data requirements documented in the domain model to their corresponding XML Element in the
XML Schema. It includes a number of items to help establish equivalency including the business
definition and the corresponding XML Element Definition.
C. ISE-SAR Mapping Overview
The Mapping Spreadsheet contains seven unique items for each ISE-SAR data class and element.
The Mapping Spreadsheet columns are described in this section.
Table 4 – Mapping Spreadsheet Column Descriptions
Spreadsheet Name and Row: Description
Privacy Field Indicator: This field indicates that the information may be used to identify an individual.
Source Class/Element: Content in this column is either the data class (grouping of data elements) or the
actual data elements. Classes are highlighted and denoted with cells that contain
blue background, while elements have a white background. The word “Source” is
referring to the ISE-SAR information exchange.
Source Definition: The content in this column is the class or element definition defined for this ISE-
SAR information exchange. The word “Source” is referring to the ISE-SAR
information exchange definition.
Target Element: The content in this column is the actual namespace path deemed equal to the related
ISE-SAR information exchange element.
Target Element Definition: The content in this column provides the definition of the target or NIEM element
located at the aforementioned source path. “Target” is referring to the NIEM
definition.
Target Element Base: Indicates the data type of the terminal element. Data types of niem-xsd:String or
nc:TextType indicate free-form text fields.
Mapping Comments: Provides technical implementation information for developers and implementers of
the information exchange.
D. Schemas
The ISE-SAR Functional Standard contains the following compliant schemas:
Subset Schema
Exchange Schema
Extension Schema
Wantlist
E. Examples
The ISE-SAR Functional Standard contains two samples that illustrate exchange content as listed
below.
XSL Style Sheet
This information exchange artifact provides an implementer and users with a communication
tool that captures the look and feel of a familiar form, screen, or like peripheral medium for
schema translation testing and user validation of business rules.
XML Instance
This information exchange artifact provides an actual payload of information with data content
defined by the schema.
PART B—ISE-SAR CRITERIA GUIDANCE
Part B provides a more thorough explanation of ISE-SAR pre-operational behavioral categories
and criteria. This guidance highlights the importance of having a trained analyst or investigator
take into account the context, facts, and circumstances in reviewing suspicious behaviors to
identify those SARs with a potential nexus to terrorism (i.e., to be reasonably indicative of pre-
operational planning associated with terrorism). It is important to understand, however, that the
behavioral categories and criteria listed below reflect studies of prior terrorism incidents and are
not intended to be limited in any way by the descriptive examples.19 The descriptive examples
outlined below in the third column do not represent all possible examples that relate to ISE-SAR
submissions. They are provided as a nonexhaustive list of illustrations of pre-operational
behaviors that may support the documentation and submission of an ISE-SAR based on the
contextual assessment of the reviewing analyst or investigator.
In order to ensure that Part B is responsive to changes in the threat environment, the ISA IPC
will establish a formal process for reviewing and updating the behavioral categories in the first
column and the behavioral criteria set forth in the second column. (See the chart below.) The
process will involve coordination and consultation between and among NSI participants and
other stakeholders, who will examine the current body of knowledge regarding terrorism and
other criminal activity. This process will result in the issuance of an update to the ISE-SAR
Functional Standard when revisions are made to either or both of the first or second columns.
As needed, the DHS, in conjunction with the FBI, will guide a separate process to allow for
interim updates to the descriptive examples contained in the third column of Part B. Updates to
the third column will be based on field experience (e.g., emerging threats, trip wire reports, and
other intelligence) and will be documented in the change management chart20 of the ISE-SAR
Functional Standard, rather than reissuance of the ISE-SAR Functional Standard by the PM-ISE.
The nine behaviors identified below as “Potential Criminal or Non-criminal Activity Requiring
Additional Information During Vetting” are not inherently criminal behaviors and may include
constitutionally protected activities that must not be documented in an ISE-SAR that contains PII
unless there are articulable facts or circumstances that clearly support the determination that the
behavior observed is not innocent, but rather reasonably indicative of pre-operational planning
associated with terrorism. Race, ethnicity, gender, national origin, religion, sexual orientation, or
19 In addition to the descriptive examples listed in Part B and in order to further enhance NSI participants’ understanding of the Part B behavioral categories and criteria, the DHS, in conjunction with the FBI, may develop
additional examples to be included in implementation materials (e.g., the Vetting ISE-SAR Data guidance) or
delivered through training. Additionally, relevant federal and SLTT law enforcement agencies may identify and
report additional examples of terrorism behavior within the 16 behavioral categories to the DHS or the FBI.
20 This chart is included on page 6 of this Functional Standard.
Behavioral category: Testing or Probing of Security
Behavioral criteria: Deliberate interactions with, or challenges to, installations,
personnel, or systems that reveal physical, personnel, or cybersecurity capabilities
in a manner that would arouse suspicion of terrorism or other criminality in a
reasonable person.
Descriptive examples:
An individual who refused to identify himself to facility personnel at a shipping
port reported that he was representing the governor’s office and wanted to access
the secure area of a steel manufacturer’s space. He was inquiring about the
presence of foreign military personnel. The individual fled when he realized that
personnel were contacting the security office about his activities. He ran through
the lobby and departed in a vehicle with an out-of-state license plate and
containing two other individuals.
An individual discharged a fire extinguisher in a stairwell of a hotel and set off
the building’s fire alarm. This individual was observed entering the hotel
approximately two minutes before the alarm sounded, was observed exiting from the
stairwell at about the same time as the alarm, and then was observed in the lobby
area before leaving the hotel.
Recruiting/ Providing direct financial A prison inmate reported an effort to
Materials Acquisition and/or storage of A garden center owner reported an Acquisition/ unusual quantities of materials individual in his twenties seeking to